Insecure or unset HTTP headers - Content-Security-Policy
Need
Implementation of secure and properly configured Content-Security-Policy headers
Context
- Usage of Java 8 for developing applications with enhanced features and performance
- Usage of javax.servlet-api for developing Java web applications with Servlets
Description
Non compliant code
import javax.servlet.http.HttpServletResponse;
public class UnsafeHeaderServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// ... some code here ...
}
}
The above Java servlet does not set the Content-Security-Policy
HTTP header in its responses. This is a security vulnerability because the Content-Security-Policy
header is used to prevent Cross-Site Scripting (XSS) attacks and other code injection attacks resulting from execution of malicious content in the trusted web page context.
The Content-Security-Policy
header allows you to create a whitelist of sources of trusted content, and instructs the browser to only execute or render resources from those sources. Even if an attacker can inject a script tag into your HTML content, the browser will not execute the script if the script's source is not in the whitelist.
In the above code, the doGet
method sends a response to the client without setting the Content-Security-Policy
header. This means that the response could potentially contain malicious script that the browser will execute.
Steps
- Understand the purpose of the Content-Security-Policy header and its importance in web application security.
- Determine the appropriate security policies that need to be defined in the Content-Security-Policy header based on the application's requirements.
- Ensure that the Content-Security-Policy header is included in the server responses.
- Define the mandatory security policies in the Content-Security-Policy header to enforce secure behavior.
- Avoid using insecure values in the security policies, such as 'unsafe-inline' or 'unsafe-eval'.
- Regularly review and update the Content-Security-Policy header as needed to adapt to changes in the application's requirements and security best practices.
Compliant code
import javax.servlet.http.HttpServletResponse;
public class SafeHeaderServlet extends HttpServlet {
protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
// Define the Content-Security-Policy header
response.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';");
// ... some code here ...
}
}
The above code fixes the vulnerability by setting the Content-Security-Policy
header in the server's HTTP response. The Content-Security-Policy
header is a security feature that helps prevent attacks such as Cross-Site Scripting (XSS) and data injection attacks. It does this by specifying the domains that the browser should consider as valid sources of executable scripts.
In the fixed code, the Content-Security-Policy
header is set to only allow resources (scripts, images, stylesheets, etc.) to be loaded from the application's own domain ('self'
). This is done using the setHeader
method of the HttpServletResponse
object.
The default-src 'self';
directive sets the default policy for fetching resources such as JavaScript, Images, CSS, Font's, AJAX requests, Frames, HTML5 Media from the same origin.
The script-src 'self';
directive restricts where the browser can load JavaScript from to only the application's own domain.
The connect-src 'self';
directive restricts URLs which can be loaded using script interfaces.
The img-src 'self';
directive restricts from where the browser can load images.
The style-src 'self';
directive restricts from where the browser can load stylesheets.
By setting these policies, the application is protected against loading potentially malicious resources from unauthorized domains. This is a crucial step in securing the application against common web vulnerabilities.
Please note that the actual Content-Security-Policy
header value should be defined based on your application's specific requirements. The above is just a basic example and might not fit all use cases. Regularly review and update the Content-Security-Policy
header as needed to adapt to changes in the application's requirements and security best practices.